If STADIUM_ADDRESS gets blacklisted by tokens like JPYC, USDC, USDT, etc., the winners will never get their rewards and funds will be frozen in the contract forever
Rewards are distributed to winners by the organizer or the protocol's owner. The main function used to distribute funds is Distributor._distribute(). That function first does all the percentage calculations, then sends the rewards to the winners based on the percentages, and lastly sends the COMMISSION_FEE to the protocol (STADIUM_ADDRESS) by calling the internal function Distributor._commissionTransfer().
Reward tokens are general ERC20 stablecoin tokens, e.g. JPYC, USDC, USDT, DAI, etc.
Most of these tokens (JPYC, USDC, USDT) have a "Blacklist" or "Blocklist". Token transfers to blacklisted addresses always revert.
If STADIUM_ADDRESS gets added to the blacklist of any of the stablecoins (JPYC, USDC, USDT), then calls to Distributor._distribute() will always revert, so the winners will never get their rewards and funds will be stuck in the contract forever (at least until STADIUM_ADDRESS is removed from the blacklist). As STADIUM_ADDRESS is an immutable variable, this can be really problematic for the protocol.
Frozen Funds
There are 2 mitigations for this issue:
1. Pull the funds instead of pushing: The protocol should add a function in the ProxyFactory to take COMMISSION_FEE after the rewards are distributed. Pull > Push is a well-known best practice in the space, so the protocol should consider it for claiming the fees.
2. Make STADIUM_ADDRESS mutable: Add an updateStadiumAddr() function, so that if STADIUM_ADDRESS gets added to a blacklist by any token tomorrow, the protocol can switch to a new address.
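A sketch of the first mitigation (pull instead of push), added here as an example and not taken from the protocol's code. The contract name, OWNER, accruedCommission, distribute() and claimCommission() are hypothetical, the COMMISSION_FEE value is assumed, and SafeERC20 is OpenZeppelin's library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustration only: hypothetical contract, not the protocol's Distributor.
contract PullFeeDistributor {
    using SafeERC20 for IERC20;

    uint256 private constant BASIS_POINTS = 10_000;
    uint256 private constant COMMISSION_FEE = 500; // assumed value (5%)

    address public immutable STADIUM_ADDRESS;
    address public immutable OWNER; // hypothetical access control
    // Commission owed per token: recorded on distribution, paid on claim.
    mapping(IERC20 => uint256) public accruedCommission;

    constructor(address stadium) {
        require(stadium != address(0), "zero stadium");
        STADIUM_ADDRESS = stadium;
        OWNER = msg.sender;
    }

    // Pays winners only. Nothing is sent to STADIUM_ADDRESS here, so a
    // blocklisted fee recipient cannot make the distribution revert.
    function distribute(IERC20 token, address[] calldata winners, uint256[] calldata percentages) external {
        require(msg.sender == OWNER, "not owner");
        require(winners.length == percentages.length && winners.length != 0, "bad input");
        // Exclude commission that is still waiting to be claimed.
        uint256 total = token.balanceOf(address(this)) - accruedCommission[token];
        require(total != 0, "nothing to distribute");
        uint256 sum;
        for (uint256 i; i < winners.length; ++i) {
            sum += percentages[i];
            token.safeTransfer(winners[i], (total * percentages[i]) / BASIS_POINTS);
        }
        require(sum == BASIS_POINTS - COMMISSION_FEE, "bad percentages");
        // Whatever remains (fee plus rounding dust) is owed to the protocol.
        accruedCommission[token] = token.balanceOf(address(this));
    }

    // Pull step. If STADIUM_ADDRESS is blocklisted only this call reverts;
    // the revert restores accruedCommission, so the fee stays claimable.
    function claimCommission(IERC20 token) external {
        uint256 amount = accruedCommission[token];
        accruedCommission[token] = 0;
        token.safeTransfer(STADIUM_ADDRESS, amount);
    }
}
```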